DDoS Defenses Evolve Along With the Threat

With distributed denial of service attacks coming from criminal and even political organizations, what's the best way to keep your systems safe from DDoS attacks? Security mechanisms continue to evolve, but are they enough?

When Internet activist group Anonymous attempted to launch a distributed denial of service (DDoS) attack on Amazon.com last December, its members quickly discovered that for all of their resources, they were unable to even inconvenience the massive e-commerce site.

The attack was called off and many lauded Amazon for its ability to ward off the DDoS that had been prevalent on the Internet during early- to mid-December, part of Anonymous' Operation: Payback campaign to "raise awareness about WikiLeaks and the underhanded methods employed by the above companies to impair WikiLeaks' ability to function," according to a December 10 press release purportedly from the group.

It is widely believed that Amazon.com was able to easily fend off the DDoS attack from Anonymous because of its already-massive infrastructure and the attackers' bad timing. In December, the holiday shopping rush was pushing so much legitimate traffic into the Amazon.com site that any spike from a DDoS was simply lost in the crush.

(Anonymous' claims differ. In the press release, the activist organization claims that it decided to call off the attack at the last minute, so as not to interrupt holiday shopping. Some members apparently did not get the message, so the resulting DDoS attack was far weaker.)

Regardless of what actually happened on Dec. 9, one thing is very clear: most of the network administrators out there don't work for Amazon.com, and thus any DDoS attack, small or large, poses a serious risk for any online business activity. So how do you go about preventing great harm if a DDoS attack comes your way?

There are, of course, the more well-known prevention methods that any network administrator should be doing already.

DDoS prevention methods you should already be using

Disable any unused services, to minimize the number of open ports and to reduce the chance that someone could come in and exploit a known vulnerability. Along those lines, patch everything: keeping your software as up-to-date as possible will also minimize vulnerability. Firewalls can help, too, but only to a point: they can stop flooding attacks arriving on "odd" ports, but there is no preventing web-based traffic from rolling right in on the ports you must keep open. Also, if you disable IP broadcasting, you can block ICMP-based attacks such as ICMP packet magnification ("smurf") or ping of death attacks.
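As an added illustration of the ICMP attacks named above (this is example code, not part of the original article), the following Python detector runs over constructed sample flow records and flags the three signatures involved: an echo request aimed at a directed-broadcast address (the packet that disabling IP broadcasting stops), the resulting flood of echo replies at the smurf victim, and a fragment that would reassemble beyond the 65535-byte IP limit (ping of death). The addresses, the record layout and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed local network (documentation range); its broadcast address must
# never receive echo requests from outside.
LOCAL_NETS = [ip_network("192.0.2.0/24")]
MAX_IP_DATAGRAM = 65535  # largest datagram IPv4 can reassemble

# Constructed sample records: (ts, src, dst, icmp_type, payload_len, frag_offset)
# icmp_type 8 = echo request, 0 = echo reply; frag_offset is in bytes.
SAMPLE_RECORDS = [
    (0.00, "203.0.113.7", "192.0.2.255", 8, 64, 0),        # spoofed request to broadcast
    (0.01, "192.0.2.10", "203.0.113.7", 0, 64, 0),         # amplifier replies hit victim
    (0.02, "192.0.2.11", "203.0.113.7", 0, 64, 0),
    (0.02, "192.0.2.12", "203.0.113.7", 0, 64, 0),
    (0.03, "192.0.2.13", "203.0.113.7", 0, 64, 0),
    (0.04, "192.0.2.14", "203.0.113.7", 0, 64, 0),
    (0.50, "198.51.100.9", "192.0.2.20", 8, 1480, 65120),  # fragment past 65535 bytes
    (1.00, "192.0.2.21", "192.0.2.22", 8, 64, 0),          # ordinary ping, benign
    (1.01, "192.0.2.22", "192.0.2.21", 0, 64, 0),
]

def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our local networks."""
    return any(ip_address(dst) == net.broadcast_address for net in LOCAL_NETS)

def detect_icmp_abuse(records, reply_threshold=5, window=1.0):
    """Return (kind, detail) findings for smurf and ping-of-death signatures."""
    findings = []
    replies = defaultdict(list)  # victim address -> [(ts, replying host)]
    for ts, src, dst, itype, payload_len, frag_off in records:
        # Smurf stage 1: echo request to a directed-broadcast address.
        if itype == 8 and is_directed_broadcast(dst):
            findings.append(("smurf-request", f"{src} -> {dst}"))
        # Ping of death: this fragment would reassemble past the IP size limit.
        if frag_off + payload_len > MAX_IP_DATAGRAM:
            findings.append(("ping-of-death", f"{src} -> {dst} reassembles to {frag_off + payload_len}"))
        if itype == 0:
            replies[dst].append((ts, src))
    # Smurf stage 2: many distinct hosts answer one victim within a short window.
    for victim, events in replies.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {s for t, s in events[i:] if t - t0 <= window}
            if len(hosts) >= reply_threshold:
                findings.append(("smurf-flood", f"{victim} got replies from {len(hosts)} hosts in {window}s"))
                break
    return findings

if __name__ == "__main__":
    for kind, detail in detect_icmp_abuse(SAMPLE_RECORDS):
        print(f"{kind:15} {detail}")
```

On the sample data the detector reports one finding of each kind and ignores the ordinary ping exchange.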

These general methods will keep your network protected against all but the most sophisticated DDoS. For DDoS-specific defense, the most successful techniques have been some form of IP packet filtering.

Brian Proffitt is a Linux and Open Source expert who writes for a number of publications. Formerly the Community Manager for Linux.com and the Linux Foundation, he is the author of 18 Linux and Open Source books, including his most recent work, Introducing Fedora: Desktop Linux. His online works are read by nearly a half million people on a daily basis.